This study will point out the need for information security governance. Since the risk that a specific information security incident will occur is not always obvious, it is difficult for an organisation to invest time and money in information security governance. An information security governance model should therefore be extensive enough to include all possible security scenarios. This should enable any implementing organisation to prevent or indirectly intervene in the occurrence of security-related incidents within its perimeters. An analysis of the existing models will be conducted and will combine drivers from the corporate governance, information technology governance and information security governance disciplines. It can be expected that the information security governance model will inherit a number of the respective best practice and related documents’ benefits and advantages. These inherited benefits add enormous value to both the best practice model and the information security governance discipline.